ARCHIVE :: Security-alerts
Security-Alerts mailing list archive (security-alerts@yandex-team.ru)


[security-alerts] Debian hacking - new info



It turns out that this new vulnerability was used there: Linux Kernel PRCTL Core 
Dump Handling Privilege Escalation 

http://www.debian.org/News/2006/20060713


Debian Server restored after Compromise

July 13th, 2006

One core Debian server has been reinstalled after a compromise and services 
have been restored. On July 12th the host gluck.debian.org was compromised 
using a local root vulnerability in the Linux kernel. The intruder had access 
to the server using a compromised developer account.

The services affected and temporarily taken down are: cvs, ddtp, lintian, 
people, popcon, planet, ports and release.
Details

At least one developer account was compromised a while ago and was 
used by an attacker to gain access to the Debian server. A recently discovered 
local root vulnerability in the Linux kernel was then used to gain root 
access to the machine.

At 02:43 UTC on July 12th suspicious mails were received and alarmed the Debian 
admins. The subsequent investigation found that a developer account had been 
compromised and that a local kernel vulnerability had been exploited to gain 
root access.

At 04:30 UTC on July 12th gluck was taken offline and booted off trusted 
media. Other Debian servers have been locked down for further investigation 
into whether they were compromised as well. They will be upgraded to a corrected 
kernel before they are unlocked.

Due to the short window between exploiting the kernel and Debian admins 
noticing, the attacker did not have the time or inclination to cause much damage. The 
only obviously compromised binary was /bin/ping.

The compromised account did not have access to any of the restricted Debian 
hosts. Hence, neither the regular nor the security archive had a chance to be 
compromised.

An investigation of developer passwords revealed a number of weak passwords 
whose accounts have been locked in response.

The machine status is here.
Kernel vulnerability

The kernel vulnerability that has been used for this compromise is referenced 
as CVE-2006-2451. It only exists in the Linux kernel 2.6.13 up to versions 
before 2.6.17.4, and 2.6.16 before 2.6.16.24. The bug allows a local user to 
gain root privileges via the PR_SET_DUMPABLE argument of the prctl function and 
a program that causes a core dump file to be created in a directory for which 
the user does not have permissions.

The current stable release, Debian GNU/Linux 3.1 alias 'sarge', contains Linux 
2.6.8 and is thus not affected by this problem. The compromised server ran 
Linux 2.6.16.18.

If you run Linux 2.6.13 up to versions before 2.6.17.4, or Linux 2.6.16 up to 
versions before 2.6.16.24, please update your kernel immediately.
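As an added example (not part of the Debian announcement or this post), the following Python checks a kernel release string against the affected ranges quoted above for CVE-2006-2451. It assumes that the 2.6.16.y stable branch is judged by its own fix, 2.6.16.24, rather than by the mainline cutoff 2.6.17.4, which is how the two stated ranges can be combined without contradiction; any distro suffix after the first '-' is ignored.

```python
import platform
import re

# Boundaries taken from the announcement above (CVE-2006-2451).
MAINLINE_FIRST_AFFECTED = (2, 6, 13)
MAINLINE_FIXED = (2, 6, 17, 4)
STABLE_2616_FIXED = (2, 6, 16, 24)


def parse_kernel_version(release):
    """Turn a release string such as '2.6.16.18-2-686' into a tuple of ints.

    Anything after the first '-' (distro revision, flavour) is ignored.
    """
    base = release.split("-", 1)[0]
    parts = re.findall(r"\d+", base)
    if len(parts) < 3:
        raise ValueError("unrecognised kernel version: %r" % release)
    return tuple(int(p) for p in parts)


def is_affected(release):
    """Return True if this kernel version lies inside the affected ranges.

    Assumption (not stated on the page): a 2.6.16.y kernel is compared
    against the stable fix 2.6.16.24; everything else is compared against
    the mainline range 2.6.13 <= v < 2.6.17.4.
    """
    v = parse_kernel_version(release)
    if v[:3] == (2, 6, 16):
        return v < STABLE_2616_FIXED
    return MAINLINE_FIRST_AFFECTED <= v < MAINLINE_FIXED


def running_kernel_affected():
    """Check the kernel this script is running on (Linux only)."""
    return is_affected(platform.release())


if __name__ == "__main__":
    # The compromised server ran 2.6.16.18; sarge shipped 2.6.8.
    for rel in ("2.6.16.18", "2.6.8", "2.6.17.4-1-amd64"):
        print(rel, "affected" if is_affected(rel) else "not affected")
```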
Copyright © Lexa Software, 1996-2009.